TOCTOU Race Condition in SWUpdate by SBABic
CVE-2025-41259

7.3HIGH

Key Information:

Vendor: Sbabic
Status: Swupdate
Vendor: CVE Published:; 3 June 2026

What is CVE-2025-41259?

SWUpdate versions prior to 2026.05 are susceptible to a time-of-check time-of-use (TOCTOU) race condition. This vulnerability permits local unprivileged attackers to escalate their privileges to root level or install untrusted content via a signed update mechanism. By exploiting this flaw, attackers can manipulate the update process to execute malicious scripts, posing severe risks to system integrity and security.

Affected Version(s)

SWUpdate 0 < 2026.05

References

https://github.com/sbaresearch/advisories/tree/public/202...

third-party-advisory

https://github.com/sbabic/swupdate/commit/f4bd64260e233e2...

patch

https://github.com/sbabic/swupdate

product

CVSS V4

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 3, 2026
Vulnerability Reserved
Apr 16, 2025

Credit

Reinhard Kugler (SBA Research)

CVE-2025-41259 Data

JSON

Sbabic

What is CVE-2025-41259?

Affected Version(s)

References

CVSS V4

Timeline

Credit